Open source vs Privacy

On December 18, 2019, the tech world was treated to a somewhat unprecedented announcement of cooperation among giant tech rivals who are usually trying to undercut and outdo one another. Amazon, Apple, and Google have all joined hands to sing Kumbaya with the Zigbee Alliance to develop a uniform standard for the internet of things. The new standard will build device communication standards on top of internet protocol and is called “Home over IP.” Development is slated to take an open-source approach, and one of the goals is to open the ecosystem to more participants.

This is an impressive move but maybe it shouldn’t be too surprising when we consider that there is now more clamor than ever for big tech to be punished for anti-competitive market behavior. This move can be used to show that, at least with regard to IoT (internet of things), big tech is fostering and promoting competition, instead of stifling it.

Although the news release makes vague reference to “security” as a fundamental requirement of the project, the word privacy is not mentioned once. Let’s remember that this is the technology that literally controls who can enter and exit your home. The risk associated with hacking is much more immediate and easily understood by the consumer when compared to the micro-targeting that Google, Facebook, and Amazon have foisted on us.

This is the downside of open-source building. When the instruction sheet is freely downloadable from GitHub, the hypothetical adversary has a bit of a head start in figuring out what’s necessary to break in. The upside is that development gets an injection of energy that has been proven to accelerate growth.

The answer seems to be a balance where open-source building continues, but with express acknowledgment of its security limitations and challenges. When we look at current vulnerabilities in IoT projects, the numbers are worrying. The 2018 Synopsys OSSRA (Open Source Security and Risk Analysis) report found that 77% of IoT projects contain open-source elements. These projects had an average of 677 vulnerabilities per application.

GDPR and California’s new privacy law will help somewhat. These laws provide significant disincentives for having unsecured projects in the form of steep fines. IoT building, even with open-source elements, will have to get better, but it will take time. We have yet to see what an EU enforcement action looks like under GDPR.

This brings us back to the tension between uniform and proprietary standards. Like open-source building, uniform standards will lower the barriers to entry for IoT startups. At the same time, they also vastly reduce the difficulty an adversary must surmount in order to mount a successful attack.

Hopefully, this combined effort by Google, Apple, and Amazon will lead to a uniform standard that doesn’t sacrifice security and privacy. Or maybe it’s just window dressing and we shouldn’t hold our breath.